Added VaultAwsCredentials

Author: mifitous

.gitignore

@@ -10,3 +10,4 @@ work/
 tmp/
 src/test/resources/com/datapipe/jenkins/vault/util/ssl/
 .DS_Store
+.vscode/

pom.xml

@@ -1,6 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-  <modelVersion>4.0.0</modelVersion>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">  <modelVersion>4.0.0</modelVersion>
   <parent>
     <groupId>org.jenkins-ci.plugins</groupId>
     <artifactId>plugin</artifactId>
@@ -137,6 +136,11 @@
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>credentials-binding</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>aws-credentials</artifactId>
+      <version>191.vcb_f183ce58b_9</version>
+    </dependency>
     <dependency>
       <groupId>io.jenkins</groupId>
       <artifactId>configuration-as-code</artifactId>

src/main/java/com/datapipe/jenkins/vault/credentials/VaultAwsIamCredential.java

@@ -24,7 +24,7 @@ public class VaultAwsIamCredential extends AbstractAuthenticatingVaultTokenCrede
 
     @DataBoundConstructor
     public VaultAwsIamCredential(@CheckForNull CredentialsScope scope, @CheckForNull String id,
-                                 @CheckForNull String description) {
+            @CheckForNull String description) {
         super(scope, id, description);
     }
 

src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultAwsCredential.java

@@ -0,0 +1,24 @@
+package com.datapipe.jenkins.vault.credentials.common;
+
+import com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentials;
+import com.cloudbees.plugins.credentials.CredentialsNameProvider;
+import com.cloudbees.plugins.credentials.NameWith;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Util;
+
+@NameWith(value = VaultAwsCredential.NameProvider.class, priority = 32)
+public interface VaultAwsCredential extends AmazonWebServicesCredentials {
+
+    String getDisplayName();
+
+    class NameProvider extends CredentialsNameProvider<VaultAwsCredential> {
+
+        @NonNull
+        @Override
+        public String getName(VaultAwsCredential hashicorpVaultCredentials) {
+            String description = Util.fixEmpty(hashicorpVaultCredentials.getDescription());
+            return hashicorpVaultCredentials.getDisplayName() + (description == null ? ""
+                    : " (" + description + ")");
+        }
+    }
+}

src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultAwsCredentialBinding.java

@@ -0,0 +1,95 @@
+package com.datapipe.jenkins.vault.credentials.common;
+
+import com.amazonaws.auth.AWSCredentials;
+import edu.umd.cs.findbugs.annotations.Nullable;
+import hudson.Extension;
+import hudson.FilePath;
+import hudson.Launcher;
+import hudson.model.Item;
+import hudson.model.Run;
+import hudson.model.TaskListener;
+import hudson.util.ListBoxModel;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import javax.annotation.Nonnull;
+import org.jenkinsci.plugins.credentialsbinding.BindingDescriptor;
+import org.jenkinsci.plugins.credentialsbinding.MultiBinding;
+import org.kohsuke.stapler.AncestorInPath;
+import org.kohsuke.stapler.DataBoundConstructor;
+
+import com.amazonaws.auth.AWSCredentials;
+
+import static com.datapipe.jenkins.vault.configuration.VaultConfiguration.engineVersions;
+import static org.apache.commons.lang.StringUtils.defaultIfBlank;
+
+public class VaultAwsCredentialBinding extends
+        MultiBinding<VaultAwsCredential> {
+
+    public static final String DEFAULT_ACCESS_KEY_ID_VARIABLE = "AWS_ACCESS_KEY_ID";
+    public static final String DEFAULT_SECRET_ACCESS_KEY_VARIABLE = "AWS_SECRET_ACCESS_KEY";
+    private String accessKeyVariable;
+    private String secretKeyVariable;
+
+    @DataBoundConstructor
+    public VaultAwsCredentialBinding(@Nullable String accessKeyVariable,
+            @Nullable String secretKeyVariable,
+            String credentialsId) {
+        super(credentialsId);
+        this.accessKeyVariable = defaultIfBlank(accessKeyVariable, DEFAULT_ACCESS_KEY_ID_VARIABLE);
+        this.secretKeyVariable = defaultIfBlank(secretKeyVariable, DEFAULT_SECRET_ACCESS_KEY_VARIABLE);
+    }
+
+    @Override
+    protected Class<VaultAwsCredential> type() {
+        return VaultAwsCredential.class;
+    }
+
+    @Override
+    public MultiEnvironment bind(@Nonnull Run<?, ?> build, FilePath workspace, Launcher launcher,
+            TaskListener listener)
+            throws IOException, InterruptedException {
+        AWSCredentials credentials = this.getCredentials(build).getCredentials();
+        Map<String, String> map = new HashMap<String, String>();
+        map.put(this.accessKeyVariable, credentials.getAWSAccessKeyId());
+        map.put(this.secretKeyVariable, credentials.getAWSSecretKey());
+        return new MultiEnvironment(map);
+    }
+
+    public String getaccessKeyVariable() {
+        return accessKeyVariable;
+    }
+
+    public String getsecretKeyVariable() {
+        return secretKeyVariable;
+    }
+
+    @Override
+    public Set<String> variables() {
+        Set<String> variables = new HashSet<String>();
+        variables.add(this.accessKeyVariable);
+        variables.add(this.secretKeyVariable);
+        return variables;
+    }
+
+    @Extension
+    public static class DescriptorImpl extends BindingDescriptor<VaultAwsCredential> {
+
+        @Override
+        protected Class<VaultAwsCredential> type() {
+            return VaultAwsCredential.class;
+        }
+
+        @Override
+        public String getDisplayName() {
+            return "Vault AWS Credentials";
+        }
+
+        @SuppressWarnings("unused") // used by stapler
+        public ListBoxModel doFillEngineVersionItems(@AncestorInPath Item context) {
+            return engineVersions(context);
+        }
+    }
+}

src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultAwsCredentialImpl.java

@@ -0,0 +1,134 @@
+package com.datapipe.jenkins.vault.credentials.common;
+
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.BasicAWSCredentials;
+import com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentials;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import hudson.model.Item;
+import hudson.model.ItemGroup;
+import hudson.util.FormValidation;
+import hudson.util.ListBoxModel;
+import hudson.util.Secret;
+import jenkins.model.Jenkins;
+import org.kohsuke.stapler.AncestorInPath;
+import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.DataBoundSetter;
+import org.kohsuke.stapler.QueryParameter;
+
+import static com.datapipe.jenkins.vault.configuration.VaultConfiguration.engineVersions;
+import static com.datapipe.jenkins.vault.credentials.common.VaultHelper.getVaultSecretKey;
+import static org.apache.commons.lang.StringUtils.defaultIfBlank;
+
+@SuppressWarnings("ALL")
+public class VaultAwsCredentialImpl extends AbstractVaultBaseStandardCredentials implements
+        VaultAwsCredential {
+
+    public static final String DEFAULT_ACCESS_KEY_ID = "accessKeyID";
+    public static final String DEFAULT_SECRET_ACCESS_KEY = "secretAccessKey";
+
+    private static final long serialVersionUID = 1L;
+
+    private String accessKey;
+    private String secretKey;
+
+    @DataBoundConstructor
+    public VaultAwsCredentialImpl(CredentialsScope scope, String id,
+            String description) {
+        super(scope, id, description);
+    }
+
+    @NonNull
+    public String getAccessKey() {
+        return accessKey;
+    }
+
+    @DataBoundSetter
+    public void setAccessKey(String accessKey) {
+        this.accessKey = defaultIfBlank(accessKey, DEFAULT_ACCESS_KEY_ID);
+    }
+
+    @NonNull
+    public String getSecretKey() {
+        return secretKey;
+    }
+
+    @DataBoundSetter
+    public void setSecretKey(String secretKey) {
+        this.secretKey = defaultIfBlank(secretKey, DEFAULT_SECRET_ACCESS_KEY);
+    }
+
+    // @NonNull
+    // @Override
+    public String getAWSAccessKeyId() {
+        String accessKeyId = defaultIfBlank(accessKey, DEFAULT_ACCESS_KEY_ID);
+        return getVaultSecretKeyValue(accessKeyId);
+    }
+
+    // @NonNull
+    // @Override
+    public Secret getAWSSecretKey() {
+        String secretKeyId = defaultIfBlank(secretKey, DEFAULT_SECRET_ACCESS_KEY);
+        String secret = getVaultSecretKeyValue(secretKeyId);
+        return Secret.fromString(secret);
+    }
+
+    @NonNull
+    @Override
+    public AWSCredentials getCredentials(String mfaToken) {
+        return AmazonWebServicesCredentials.getCredentials(mfaToken);
+    }
+
+    @NonNull
+    @Override
+    public void refresh() {
+        // no-op
+    }
+
+    @Extension
+    public static class DescriptorImpl extends BaseStandardCredentialsDescriptor {
+
+        @Override
+        public String getDisplayName() {
+            return "Vault AWSAccessKeyId-AWSSecretKey Credential";
+        }
+
+        public FormValidation doTestConnection(
+                @AncestorInPath ItemGroup<Item> context,
+                @QueryParameter("path") String path,
+                @QueryParameter("accessKey") String accessKey,
+                @QueryParameter("secretKey") String secretKey,
+                @QueryParameter("prefixPath") String prefixPath,
+                @QueryParameter("namespace") String namespace,
+                @QueryParameter("engineVersion") Integer engineVersion) {
+
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+
+            String AWSAccessKeyId = null;
+            try {
+                AWSAccessKeyId = getVaultSecretKey(path, defaultIfBlank(accessKey, DEFAULT_ACCESS_KEY_ID),
+                        prefixPath,
+                        namespace, engineVersion, context);
+            } catch (Exception e) {
+                return FormValidation.error("FAILED to retrieve AWSAccessKeyId key: \n" + e);
+            }
+
+            try {
+                getVaultSecretKey(path, defaultIfBlank(secretKey, DEFAULT_SECRET_ACCESS_KEY), prefixPath,
+                        namespace,
+                        engineVersion, context);
+            } catch (Exception e) {
+                return FormValidation.error("FAILED to retrieve AWSSecretKey key: \n" + e);
+            }
+
+            return FormValidation
+                    .ok("Successfully retrieved AWSAccessKeyId " + AWSAccessKeyId + " and the AWSSecretKey");
+        }
+
+        @SuppressWarnings("unused") // used by stapler
+        public ListBoxModel doFillEngineVersionItems(@AncestorInPath Item context) {
+            return engineVersions(context);
+        }
+    }
+}

src/main/java/com/datapipe/jenkins/vault/credentials/common/VaultFileCredentialBinding.java

@@ -2,7 +2,7 @@
 
 import hudson.Extension;
 import hudson.FilePath;
-import java.io.IOException;;
+import java.io.IOException;
 import org.jenkinsci.Symbol;
 import org.jenkinsci.plugins.credentialsbinding.BindingDescriptor;
 import org.jenkinsci.plugins.credentialsbinding.impl.AbstractOnDiskBinding;

src/main/java/com/datapipe/jenkins/vault/jcasc/secrets/VaultAuthenticator.java

@@ -6,18 +6,23 @@
 
 public interface VaultAuthenticator {
     void authenticate(Vault vault, VaultConfig config) throws VaultException;
+
     static VaultAuthenticator of(String token) {
         return new VaultSingleTokenAuthenticator(token);
     }
+
     static VaultAuthenticator of(VaultAppRole appRole, String mountPath) {
         return new VaultAppRoleAuthenticator(appRole, mountPath);
     }
+
     static VaultAuthenticator of(VaultUsernamePassword vaultUsernamePassword, String mountPath) {
         return new VaultUserPassAuthenticator(vaultUsernamePassword, mountPath);
     }
+
     static VaultAuthenticator of(VaultKubernetes vaultKubernetes, String mountPath) {
         return new VaultKubernetesAuthenticator(vaultKubernetes, mountPath);
     }
+
     static VaultAuthenticator of(VaultAwsIam vaultAwsIam, String mountPath) {
         return new VaultAwsIamAuthenticator(vaultAwsIam, mountPath);
     }

src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultAwsCredentialBinding/config-variables.jelly

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler" xmlns:c="/lib/credentials">
+  <f:entry title="${%Access Key Variable}" field="accessKeyVariable">
+    <f:textbox default="AWS_ACCESS_KEY_ID"/>
+  </f:entry>
+  <f:entry title="${%Secret Key Variable}" field="secretKeyVariable">
+    <f:textbox default="AWS_SECRET_ACCESS_KEY"/>
+  </f:entry>
+</j:jelly>

src/main/resources/com/datapipe/jenkins/vault/credentials/common/VaultAwsCredentialBinding/help.html

@@ -0,0 +1,3 @@
+<div>
+    AWS Jenkins credential backed by a Hashicorp Vault AWS engine
+</div>